Skip ARP protection if 0.0.0.0/0 in addr pairs
authorKevin Benton <blak111@gmail.com>
Wed, 3 Jun 2015 22:20:27 +0000 (15:20 -0700)
committerKevin Benton <blak111@gmail.com>
Thu, 25 Jun 2015 16:12:21 +0000 (09:12 -0700)
Don't set up ARP protection on ports with allowed address pairs
that allow them to use any IP address. This is necessary because
OVS doesn't support the /0 prefix in rules that match on ARP headers.

Related-Bug: #1461054
Closes-Bug: #1468009
Change-Id: I913a86f22b228aa11fa3dabd9493c3995198f7ec

neutron/plugins/openvswitch/agent/ovs_neutron_agent.py
neutron/tests/functional/agent/test_ovs_flows.py

index 968fec88a2654c7c3372ae337a7fa4f89dfc17dc..791f368827a595b59694998b0715482cf62a6a6e 100644 (file)
@@ -785,6 +785,10 @@ class OVSNeutronAgent(sg_rpc.SecurityGroupAgentRpcCallbackMixin,
 
         addresses = {ip for ip in addresses
                      if netaddr.IPNetwork(ip).version == 4}
+        if any(netaddr.IPNetwork(ip).prefixlen == 0 for ip in addresses):
+            # don't try to install protection because a /0 prefix allows any
+            # address anyway and the ARP_SPA can only match on /1 or more.
+            return
 
         bridge.install_arp_spoofing_protection(port=vif.ofport,
                                                ip_addresses=addresses)
index 0108577bb0b2edc0c225ac64e3b00dea62525343..fbc76f7019922f6f98dedc716535f32412ddb8a0 100644 (file)
@@ -158,6 +158,13 @@ class _ARPSpoofTestCase(object):
         self.dst_p.addr.add('%s/24' % self.dst_addr)
         net_helpers.assert_ping(self.src_namespace, self.dst_addr, count=2)
 
+    def test_arp_spoof_allowed_address_pairs_0cidr(self):
+        self._setup_arp_spoof_for_port(self.dst_p.name, ['9.9.9.9/0',
+                                                         '1.2.3.4'])
+        self.src_p.addr.add('%s/24' % self.src_addr)
+        self.dst_p.addr.add('%s/24' % self.dst_addr)
+        net_helpers.assert_ping(self.src_namespace, self.dst_addr)
+
     def test_arp_spoof_disable_port_security(self):
         # block first and then disable port security to make sure old rules
         # are cleared
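Review bot: The new test `test_arp_spoof_allowed_address_pairs_0cidr` asserts only that the ping succeeds, which is the observable side effect rather than the property the commit claims: it would pass just as well if protection were dropped for an unrelated reason, and it never checks that no ARP flows were installed for `dst_p`. If the test base exposes a way to dump the bridge's ARP flows for the port's ofport, a negative assertion after `_setup_arp_spoof_for_port` that none exist would pin the intended behavior. The literal `'9.9.9.9/0'` also deserves a one-line comment, since a reader may not realize netaddr reports prefixlen 0 for it regardless of the host bits: `# a /0 pair with non-zero host bits must still disable protection`. The context method `test_arp_spoof_disable_port_security` continues past the end of the hunk.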